
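I have installed Elasticsearch on Kubernetes using the Helm chart. I need to enable X-Pack security, and for that I need to create certificates using elasticsearch-certutil. I can't find where it is located on Kubernetes.

The error I am getting now: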

2019-06-25T10:20:56.882057213Z "Caused by: org.elasticsearch.ElasticsearchException: failed to initialize a TrustManagerFactory",
I 2019-06-25T10:20:56.882063036Z "at org.elasticsearch.xpack.core.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:61) ~[?:?]",
I 2019-06-25T10:20:56.882068596Z "at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:382) ~[?:?]",
I 2019-06-25T10:20:56.882074256Z "at java.util.HashMap.computeIfAbsent(HashMap.java:1133) ~[?:?]",
I 2019-06-25T10:20:56.882079897Z "at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$2(SSLService.java:426) ~[?:?]",
I 2019-06-25T10:20:56.882085280Z "at java.util.HashMap.forEach(HashMap.java:1333) ~[?:?]",
I 2019-06-25T10:20:56.882120138Z "at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:423) ~[?:?]",
I 2019-06-25T10:20:56.882136977Z "at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:119) ~[?:?]",
I 2019-06-25T10:20:56.882143717Z "at org.elasticsearch.xpack.core.XPackPlugin.<init>(XPackPlugin.java:144) ~[?:?]",
I 2019-06-25T10:20:56.882149641Z "at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]",
I 2019-06-25T10:20:56.882155163Z "at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]",
I 2019-06-25T10:20:56.882168785Z "at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]",
I 2019-06-25T10:20:56.882175111Z "at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) ~[?:?]",
I 2019-06-25T10:20:56.882181018Z "at java.lang.reflect.Constructor.newInstance(Constructor.java:481) ~[?:?]",
I 2019-06-25T10:20:56.882228253Z "at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:605) ~[elasticsearch-7.1.1.jar:7.1.1]",
I 2019-06-25T10:20:56.882234700Z "at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:556) ~[elasticsearch-7.1.1.jar:7.1.1]",
I 2019-06-25T10:20:56.882240443Z "at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:471) ~[elasticsearch-7.1.1.jar:7.1.1]",
I 2019-06-25T10:20:56.882246040Z "at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:163) ~[elasticsearch-7.1.1.jar:7.1.1]",
I 2019-06-25T10:20:56.882251927Z "at org.elasticsearch.node.Node.<init>(Node.java:308) ~[elasticsearch-7.1.1.jar:7.1.1]",
I 2019-06-25T10:20:56.882257697Z "at org.elasticsearch.node.Node.<init>(Node.java:252) ~[elasticsearch-7.1.1.jar:7.1.1]",
I 2019-06-25T10:20:56.882263355Z "at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:211) ~[elasticsearch-7.1.1.jar:7.1.1]",
I 2019-06-25T10:20:56.882271710Z "at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:211) ~[elasticsearch-7.1.1.jar:7.1.1]",
I 2019-06-25T10:20:56.882318705Z "at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:325) ~[elasticsearch-7.1.1.jar:7.1.1]",
I 2019-06-25T10:20:56.882344091Z "at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-7.1.1.jar:7.1.1]",

Here is my configuration:

esConfig:
  elasticsearch.yml: |
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/ca.p12
    xpack.security.transport.ssl.truststore.path: /usr/share/elasticsea/config/certs/ca.p12
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/ca.p12
    xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs/ca.p12

I got into the container using kubectl exec -it elasticsearch-master-0 -- /bin/bash and generated the certificates in the exact path /usr/share/elasticsearch/certs


1 Answer


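Since you are using a Helm chart, you need to set all of these things in the templates.

First, you should get familiar with https://github.com/helm/charts/tree/master/stable/elasticsearch

Second, you need to check what is wrong with one of the pods, elasticsearch-master-2, because it is in CrashLoopBackOff. You can do that using kubectl describe pods elasticsearch-master-2 and checking the events at the bottom.

As for X-Pack and enabling Elasticsearch internal monitoring:

Requires version 6.3+ and the standard non-oss repository defined. Starting with 6.3, X-Pack is partially free and enabled by default. You need to set a new config to enable the collection of these internal metrics. (https://www.elastic.co/guide/en/elasticsearch/reference/6.3/monitoring-settings.html)

To do this through this Helm chart, override with the following three changes: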

image.repository: docker.elastic.co/elasticsearch/elasticsearch
cluster.xpackEnable: true
cluster.env.XPACK_MONITORING_ENABLED: true

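Note: to see these changes you will need to update your Kibana repo to image.repository: docker.elastic.co/kibana/kibana instead of the oss version.

You should also read Get a Shell to a Running Container, which explains how you can connect to a pod.

In your example, use kubectl exec -it elasticsearch-master-0 -- /bin/bash

Answered 2019-06-24T13:29:52.693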
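
An added example, not part of the original question or answer: a small Python check that reads elasticsearch.yml-style settings and reports every X-Pack keystore or truststore path that is relative, falls outside the certificate directory, or is missing from a file listing taken from the pod. The sample config is constructed from the settings quoted in the question; CERT_DIR, the function names and the file listing are assumptions.

```python
import posixpath
import re

# Constructed sample mirroring the settings quoted in the question.
SAMPLE_ES_YML = """\
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/ca.p12
xpack.security.transport.ssl.truststore.path: /usr/share/elasticsea/config/certs/ca.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/ca.p12
xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs/ca.p12
"""

# Assumption: directory where the certificate files are expected inside the pod.
CERT_DIR = "/usr/share/elasticsearch/config/certs"
STORE_KEY = re.compile(r"^xpack\.security\.(transport|http)\.ssl\.(keystore|truststore)\.path$")

def parse_flat_yaml(text):
    """Parse flat 'dotted.key: value' lines, enough for esConfig-style settings."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings

def check_store_paths(text, cert_dir=CERT_DIR, present_files=None):
    """Return (key, path, problem) tuples for keystore/truststore settings."""
    findings = []
    for key, path in parse_flat_yaml(text).items():
        if not STORE_KEY.match(key):
            continue
        norm = posixpath.normpath(path)
        if not posixpath.isabs(path):
            findings.append((key, path, "not an absolute path"))
        elif posixpath.commonpath([norm, cert_dir]) != cert_dir:
            findings.append((key, path, "outside " + cert_dir))
        elif present_files is not None and norm not in present_files:
            findings.append((key, path, "file not present in pod"))
    return findings

if __name__ == "__main__":
    for finding in check_store_paths(SAMPLE_ES_YML):
        print(finding)
```

Pass `present_files` as the set of paths listed from inside the pod (for example the output of `ls` run through kubectl exec) to also catch settings that point at a directory where no certificate was generated.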